Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28518

CVE-2026-28518: OpenViking Path Traversal Vulnerability

CVE-2026-28518 is a path traversal flaw in OpenViking that allows attackers to write files outside the intended directory via malicious ZIP archives. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-28518 Overview

CVE-2026-28518 is a path traversal vulnerability affecting OpenViking versions 0.2.1 and prior. The vulnerability exists in the .ovpack import handling functionality, which allows attackers to write files outside the intended import directory. By crafting malicious ZIP archives containing traversal sequences, absolute paths, or drive prefixes in member names, attackers can overwrite or create arbitrary files with the privileges of the importing process.

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as a "Zip Slip" attack. The flaw stems from insufficient validation of file paths within ZIP archive members during the import process.

Critical Impact

Successful exploitation allows attackers to write arbitrary files to the filesystem, potentially leading to code execution, configuration tampering, or system compromise with the privileges of the OpenViking process.

Affected Products

  • OpenViking versions 0.2.1 and prior
  • All OpenViking installations using .ovpack import functionality
  • Versions prior to commit 46b3e76

Discovery Timeline

  • 2026-03-03 - CVE-2026-28518 published to NVD
  • 2026-03-03 - Last updated in NVD database

Technical Details for CVE-2026-28518

Vulnerability Analysis

The vulnerability resides in the .ovpack import handling mechanism within OpenViking. When processing ZIP archives (.ovpack files), the application fails to properly sanitize and validate the paths of files contained within the archive before extraction. This allows an attacker to include directory traversal sequences such as ../ or absolute paths in the ZIP member names.

The attack requires local access and user interaction, as a victim must import a maliciously crafted .ovpack file. Once imported, the vulnerable code extracts files to locations outside the intended import directory, enabling arbitrary file writes with the permissions of the running process. This could result in overwriting critical configuration files, placing malicious executables in startup directories, or modifying application code.

Root Cause

The root cause is improper input validation in the openviking/storage/local_fs.py module. The code did not adequately validate ZIP archive member names to ensure extracted files remain within the designated target directory. The absence of path canonicalization and boundary checks allowed traversal sequences to escape the intended extraction directory.

Attack Vector

The attack requires local access to the system where OpenViking is installed. An attacker must convince a user to import a malicious .ovpack file, which is essentially a ZIP archive with specially crafted member paths. The attack vector can be exploited through:

  1. Social engineering to deliver malicious .ovpack files
  2. Supply chain attacks where legitimate-looking packages contain malicious traversal paths
  3. Compromised package repositories serving poisoned .ovpack files
python
# SPDX-License-Identifier: Apache-2.0
 import json
 import os
+import re
 import zipfile
 from datetime import datetime
 from typing import cast

Source: GitHub Commit 46b3e76

The security patch adds the re module import, which is used to implement proper path validation and sanitization for .ovpack import operations.

Detection Methods for CVE-2026-28518

Indicators of Compromise

  • Unexpected files appearing outside OpenViking's designated data directories
  • Modified system or configuration files coinciding with .ovpack import operations
  • Suspicious .ovpack files containing path traversal sequences (../, absolute paths, or Windows drive prefixes)
  • Log entries showing file extraction to unexpected directories

Detection Strategies

  • Monitor file system operations during .ovpack import activities for writes outside expected directories
  • Implement file integrity monitoring on critical system directories and configuration files
  • Analyze imported .ovpack files for member names containing traversal patterns (../, ..\\, or absolute paths)
  • Review OpenViking logs for unusual import operations or error messages related to path handling

Monitoring Recommendations

  • Enable detailed logging for OpenViking import operations
  • Implement real-time file system monitoring for directories commonly targeted by path traversal attacks
  • Configure alerts for file creation or modification in sensitive directories during import workflows
  • Periodically audit OpenViking data directories for anomalous file structures

How to Mitigate CVE-2026-28518

Immediate Actions Required

  • Upgrade OpenViking to a version containing commit 46b3e76 or later
  • Review recently imported .ovpack files for potential malicious content
  • Audit file system for unexpected files that may have been written during exploitation
  • Restrict .ovpack import permissions to trusted users until patching is complete

Patch Information

The vulnerability has been fixed in commit 46b3e76e28b9b3eee73693720c9ec48820228b72. Organizations should update to any OpenViking release that includes this commit. The patch refines .ovpack import validation by implementing proper path sanitization using regular expressions to prevent traversal sequences from escaping the intended directory.

For more details, refer to the GitHub Commit Record, the GitHub Issue Report, and the VulnCheck Security Advisory.

Workarounds

  • Disable or restrict access to the .ovpack import functionality until the patch can be applied
  • Implement application-level controls to validate .ovpack files before import using external ZIP inspection tools
  • Run OpenViking with minimal filesystem permissions to limit the impact of potential exploitation
  • Use containerization or sandboxing to isolate OpenViking from critical system directories
bash
# Configuration example - Restrict OpenViking data directory permissions
chmod 750 /var/lib/openviking/
chown openviking:openviking /var/lib/openviking/

# Verify no traversal sequences in .ovpack files before import
unzip -l suspicious.ovpack | grep -E '\.\.\/|^\/' && echo "WARNING: Potential path traversal detected"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.